fs-lawrisk/lawrisk/api/auth.py

"""Auth blueprint: login page, authentication endpoints, and helpers."""
from __future__ import annotations

from functools import wraps
from typing import Any, Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import urlparse

from flask import (
    Blueprint,
    Response,
    jsonify,
    redirect,
    render_template,
    request,
    session,
    url_for,
)

from lawrisk.services.auth_service import get_user_by_username, verify_password


auth_bp = Blueprint("auth", __name__, url_prefix="/fs-ai-asistant/api/workflow/lawrisk")

SESSION_USER_KEY = "auth_user"


def _safe_next_url(candidate: Optional[str]) -> str:
    """
    Sanitize next URL to prevent security issues.

    For security reasons, we don't preserve query parameters that might
    contain sensitive data like passwords. We only preserve the path.
    """
    if not candidate:
        return "/"
    raw = str(candidate).strip()
    if not raw:
        return "/"
    parsed = urlparse(raw)
    if parsed.netloc:
        safe_path = parsed.path or "/"
    else:
        safe_path = raw if raw.startswith("/") else f"/{raw}"

    # For security: strip ALL query parameters to prevent password leakage
    # Only preserve path, never query strings
    return safe_path


def _scrub_user_payload(user: Dict[str, Any]) -> Dict[str, Any]:
    department = None
    if user.get("service_department_id"):
        department = {
            "id": user.get("service_department_id"),
            "name": user.get("service_department_name"),
            "code": user.get("service_department_code"),
            "region_id": user.get("service_department_region_id"),
            "region_name": user.get("service_department_region_name"),
            "parent_id": user.get("service_department_parent_id"),
            "phone": user.get("service_department_phone"),
            "role": user.get("department_role"),
        }
    return {
        "id": user.get("id"),
        "username": user.get("username"),
        "display_name": user.get("display_name"),
        "role": user.get("role"),
        "grade": user.get("grade"),
        "department": department,
    }


def ensure_admin_access(
    allowed_roles: Optional[Iterable[str]] = None,
    *,
    prefer_json: bool = False,
) -> Tuple[Optional[Dict[str, Any]], Optional[Response]]:
    """Ensure the current session belongs to an admin role."""
    user = get_current_user()
    wants_html = (
        (not prefer_json)
        and request.method == "GET"
        and request.accept_mimetypes.accept_html
        and (
            request.accept_mimetypes["text/html"]
            >= request.accept_mimetypes["application/json"]
        )
    )
    if not user:
        if wants_html:
            # Sanitize URL to prevent password leakage in redirect
            safe_next = _safe_next_url(request.url)
            login_url = url_for("auth.login_page", next=safe_next)
            return None, redirect(login_url)
        return None, (jsonify({"error": "authentication required"}), 401)

    default_roles = ("admin",) if allowed_roles is None else allowed_roles
    allowed = {str(role).lower() for role in default_roles if role}
    current_role = str(user.get("role") or "").lower()

    if allowed and current_role not in allowed:
        if wants_html:
            # Sanitize URL to prevent password leakage in redirect
            safe_next = _safe_next_url(request.url)
            login_url = url_for("auth.login_page", next=safe_next, force=1)
            return None, redirect(login_url)
        return None, (jsonify({"error": "admin privileges required"}), 403)

    return user, None


def get_current_user() -> Optional[Dict[str, Any]]:
    data = session.get(SESSION_USER_KEY)
    if not isinstance(data, dict):
        return None
    return data


def login_required(view: Callable[..., Response]) -> Callable[..., Response]:
    @wraps(view)
    def wrapper(*args: Any, **kwargs: Any) -> Response:
        user = get_current_user()
        if not user:
            wants_html = request.method == "GET" and request.accept_mimetypes.accept_html and (
                request.accept_mimetypes["text/html"] >= request.accept_mimetypes["application/json"]
            )
            if wants_html:
                # Sanitize URL to prevent password leakage in redirect
                safe_next = _safe_next_url(request.url)
                login_url = url_for("auth.login_page", next=safe_next)
                return redirect(login_url)
            return jsonify({"error": "authentication required"}), 401
        return view(*args, **kwargs)

    return wrapper


def _truthy_param(value: Optional[str]) -> bool:
    if value is None:
        return False
    return str(value).strip().lower() in {"1", "true", "yes", "on", "force", "reauth"}


@auth_bp.get("/login")
def login_page() -> Response:
    user = get_current_user()
    force_login = _truthy_param(request.args.get("force") or request.args.get("reauth"))
    if user and not force_login:
        return redirect(request.args.get("next") or "/")
    return render_template("login.html")


@auth_bp.post("/auth/login")
def login_action() -> Response:
    payload = request.get_json(silent=True) or request.form
    username = (payload.get("username", "") if payload else "").strip().lower()
    password = (payload.get("password", "") if payload else "").strip()
    next_url = _safe_next_url((payload.get("next") if payload else None) or request.args.get("next"))

    if not username or not password:
        return jsonify({"error": "username and password are required"}), 400

    user = get_user_by_username(username)
    if not user or not verify_password(password, user.get("password_hash", "")):
        return jsonify({"error": "invalid credentials"}), 401
    if not user.get("is_active", True):
        return jsonify({"error": "account disabled"}), 403

    sanitized = _scrub_user_payload(user)
    session[SESSION_USER_KEY] = sanitized

    # Smart redirect: only apply redirect logic if no explicit next parameter was provided
    # For security, all users use the same default redirect to avoid exposing permission levels
    explicit_next = (payload.get("next") if payload else None) or request.args.get("next")
    if not explicit_next or next_url == "/":
        # Default redirect path: admin to db_admin, others to root
        if sanitized.get("role") == "admin":
            next_url = "/fs-ai-asistant/api/workflow/lawrisk/db_admin"
        else:
            # For non-admin, redirect to root or homepage if available
            next_url = "/fs-ai-asistant/api/workflow/lawrisk/"

    # Form submissions expect redirects; API clients expect JSON
    if request.content_type and "application/x-www-form-urlencoded" in request.content_type:
        return redirect(next_url)

    return jsonify({"message": "login successful", "user": sanitized, "redirect": next_url})


@auth_bp.post("/auth/logout")
def logout_action() -> Response:
    session.pop(SESSION_USER_KEY, None)
    if request.content_type and "application/x-www-form-urlencoded" in request.content_type:
        return redirect(url_for("auth.login_page"))
    return jsonify({"message": "logged out"})


@auth_bp.get("/auth/me")
def current_user_endpoint() -> Response:
    user = get_current_user()
    if not user:
        return jsonify({"authenticated": False}), 401
    return jsonify({"authenticated": True, "user": user})
feat: add super admin console 2025-11-14 15:46:18 +08:00			`"""Auth blueprint: login page, authentication endpoints, and helpers."""`
			`from __future__ import annotations`

			`from functools import wraps`
			`from typing import Any, Callable, Dict, Iterable, Optional, Tuple`
			`from urllib.parse import urlparse`

			`from flask import (`
			`Blueprint,`
			`Response,`
			`jsonify,`
			`redirect,`
			`render_template,`
			`request,`
			`session,`
			`url_for,`
			`)`

			`from lawrisk.services.auth_service import get_user_by_username, verify_password`


chore: reorganize directory structure and clean up root directory 2025-12-20 11:25:34 +08:00			`auth_bp = Blueprint("auth", __name__, url_prefix="/fs-ai-asistant/api/workflow/lawrisk")`
feat: add super admin console 2025-11-14 15:46:18 +08:00
			`SESSION_USER_KEY = "auth_user"`


			`def _safe_next_url(candidate: Optional[str]) -> str:`
feat: 组织架构权限等级自动管理系统 ## 主要功能 - 实现基于组织架构层级的权限等级自动计算 - 权限等级映射：根级(90)、二级(80)、三级(70)、四级+(60) - 自动根据从属关系计算权限，无需手动填写 ## 安全修复 - 修复密码在URL中泄露的严重安全问题 - 清理所有重定向URL的查询参数 - 前端敏感参数检测与警告 ## 用户体验优化 - 移除组织架构树的权限等级显示 - 简化新增/编辑部门的表单界面 - 实现智能登录跳转（基于角色自动跳转） - Tooltip跟随鼠标，修复滚动偏移bug ## 技术实现 - 前端：自动权限计算函数、拖拽功能、模态框交互 - 后端：_calculate_grade_by_parent()、_get_department_level() - 数据库：保留grade字段，自动同步层级关系 ## 修复的问题 - 组织架构管理按钮无响应 - 登录跳转404错误 - 权限等级手动设置繁琐 - Tooltip位置偏移 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 09:39:18 +08:00			`"""`
			`Sanitize next URL to prevent security issues.`

			`For security reasons, we don't preserve query parameters that might`
			`contain sensitive data like passwords. We only preserve the path.`
			`"""`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`if not candidate:`
			`return "/"`
			`raw = str(candidate).strip()`
			`if not raw:`
			`return "/"`
			`parsed = urlparse(raw)`
			`if parsed.netloc:`
			`safe_path = parsed.path or "/"`
			`else:`
			`safe_path = raw if raw.startswith("/") else f"/{raw}"`
feat: 组织架构权限等级自动管理系统 ## 主要功能 - 实现基于组织架构层级的权限等级自动计算 - 权限等级映射：根级(90)、二级(80)、三级(70)、四级+(60) - 自动根据从属关系计算权限，无需手动填写 ## 安全修复 - 修复密码在URL中泄露的严重安全问题 - 清理所有重定向URL的查询参数 - 前端敏感参数检测与警告 ## 用户体验优化 - 移除组织架构树的权限等级显示 - 简化新增/编辑部门的表单界面 - 实现智能登录跳转（基于角色自动跳转） - Tooltip跟随鼠标，修复滚动偏移bug ## 技术实现 - 前端：自动权限计算函数、拖拽功能、模态框交互 - 后端：_calculate_grade_by_parent()、_get_department_level() - 数据库：保留grade字段，自动同步层级关系 ## 修复的问题 - 组织架构管理按钮无响应 - 登录跳转404错误 - 权限等级手动设置繁琐 - Tooltip位置偏移 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 09:39:18 +08:00
			`# For security: strip ALL query parameters to prevent password leakage`
			`# Only preserve path, never query strings`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`return safe_path`


			`def _scrub_user_payload(user: Dict[str, Any]) -> Dict[str, Any]:`
			`department = None`
			`if user.get("service_department_id"):`
			`department = {`
			`"id": user.get("service_department_id"),`
			`"name": user.get("service_department_name"),`
			`"code": user.get("service_department_code"),`
			`"region_id": user.get("service_department_region_id"),`
feat(admin): 账号区域标识回填 2025-11-27 17:13:49 +08:00			`"region_name": user.get("service_department_region_name"),`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`"parent_id": user.get("service_department_parent_id"),`
			`"phone": user.get("service_department_phone"),`
			`"role": user.get("department_role"),`
			`}`
			`return {`
			`"id": user.get("id"),`
			`"username": user.get("username"),`
			`"display_name": user.get("display_name"),`
			`"role": user.get("role"),`
			`"grade": user.get("grade"),`
			`"department": department,`
			`}`


			`def ensure_admin_access(`
			`allowed_roles: Optional[Iterable[str]] = None,`
			`*,`
			`prefer_json: bool = False,`
			`) -> Tuple[Optional[Dict[str, Any]], Optional[Response]]:`
			`"""Ensure the current session belongs to an admin role."""`
			`user = get_current_user()`
			`wants_html = (`
			`(not prefer_json)`
			`and request.method == "GET"`
			`and request.accept_mimetypes.accept_html`
			`and (`
			`request.accept_mimetypes["text/html"]`
			`>= request.accept_mimetypes["application/json"]`
			`)`
			`)`
			`if not user:`
			`if wants_html:`
feat: 组织架构权限等级自动管理系统 ## 主要功能 - 实现基于组织架构层级的权限等级自动计算 - 权限等级映射：根级(90)、二级(80)、三级(70)、四级+(60) - 自动根据从属关系计算权限，无需手动填写 ## 安全修复 - 修复密码在URL中泄露的严重安全问题 - 清理所有重定向URL的查询参数 - 前端敏感参数检测与警告 ## 用户体验优化 - 移除组织架构树的权限等级显示 - 简化新增/编辑部门的表单界面 - 实现智能登录跳转（基于角色自动跳转） - Tooltip跟随鼠标，修复滚动偏移bug ## 技术实现 - 前端：自动权限计算函数、拖拽功能、模态框交互 - 后端：_calculate_grade_by_parent()、_get_department_level() - 数据库：保留grade字段，自动同步层级关系 ## 修复的问题 - 组织架构管理按钮无响应 - 登录跳转404错误 - 权限等级手动设置繁琐 - Tooltip位置偏移 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 09:39:18 +08:00			`# Sanitize URL to prevent password leakage in redirect`
			`safe_next = _safe_next_url(request.url)`
			`login_url = url_for("auth.login_page", next=safe_next)`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`return None, redirect(login_url)`
			`return None, (jsonify({"error": "authentication required"}), 401)`

			`default_roles = ("admin",) if allowed_roles is None else allowed_roles`
			`allowed = {str(role).lower() for role in default_roles if role}`
			`current_role = str(user.get("role") or "").lower()`

			`if allowed and current_role not in allowed:`
			`if wants_html:`
feat: 组织架构权限等级自动管理系统 ## 主要功能 - 实现基于组织架构层级的权限等级自动计算 - 权限等级映射：根级(90)、二级(80)、三级(70)、四级+(60) - 自动根据从属关系计算权限，无需手动填写 ## 安全修复 - 修复密码在URL中泄露的严重安全问题 - 清理所有重定向URL的查询参数 - 前端敏感参数检测与警告 ## 用户体验优化 - 移除组织架构树的权限等级显示 - 简化新增/编辑部门的表单界面 - 实现智能登录跳转（基于角色自动跳转） - Tooltip跟随鼠标，修复滚动偏移bug ## 技术实现 - 前端：自动权限计算函数、拖拽功能、模态框交互 - 后端：_calculate_grade_by_parent()、_get_department_level() - 数据库：保留grade字段，自动同步层级关系 ## 修复的问题 - 组织架构管理按钮无响应 - 登录跳转404错误 - 权限等级手动设置繁琐 - Tooltip位置偏移 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 09:39:18 +08:00			`# Sanitize URL to prevent password leakage in redirect`
			`safe_next = _safe_next_url(request.url)`
			`login_url = url_for("auth.login_page", next=safe_next, force=1)`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`return None, redirect(login_url)`
			`return None, (jsonify({"error": "admin privileges required"}), 403)`

			`return user, None`


			`def get_current_user() -> Optional[Dict[str, Any]]:`
			`data = session.get(SESSION_USER_KEY)`
			`if not isinstance(data, dict):`
			`return None`
			`return data`


			`def login_required(view: Callable[..., Response]) -> Callable[..., Response]:`
			`@wraps(view)`
			`def wrapper(args: Any, *kwargs: Any) -> Response:`
			`user = get_current_user()`
			`if not user:`
			`wants_html = request.method == "GET" and request.accept_mimetypes.accept_html and (`
			`request.accept_mimetypes["text/html"] >= request.accept_mimetypes["application/json"]`
			`)`
			`if wants_html:`
feat: 组织架构权限等级自动管理系统 ## 主要功能 - 实现基于组织架构层级的权限等级自动计算 - 权限等级映射：根级(90)、二级(80)、三级(70)、四级+(60) - 自动根据从属关系计算权限，无需手动填写 ## 安全修复 - 修复密码在URL中泄露的严重安全问题 - 清理所有重定向URL的查询参数 - 前端敏感参数检测与警告 ## 用户体验优化 - 移除组织架构树的权限等级显示 - 简化新增/编辑部门的表单界面 - 实现智能登录跳转（基于角色自动跳转） - Tooltip跟随鼠标，修复滚动偏移bug ## 技术实现 - 前端：自动权限计算函数、拖拽功能、模态框交互 - 后端：_calculate_grade_by_parent()、_get_department_level() - 数据库：保留grade字段，自动同步层级关系 ## 修复的问题 - 组织架构管理按钮无响应 - 登录跳转404错误 - 权限等级手动设置繁琐 - Tooltip位置偏移 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 09:39:18 +08:00			`# Sanitize URL to prevent password leakage in redirect`
			`safe_next = _safe_next_url(request.url)`
			`login_url = url_for("auth.login_page", next=safe_next)`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`return redirect(login_url)`
			`return jsonify({"error": "authentication required"}), 401`
			`return view(args, *kwargs)`

			`return wrapper`


			`def _truthy_param(value: Optional[str]) -> bool:`
			`if value is None:`
			`return False`
			`return str(value).strip().lower() in {"1", "true", "yes", "on", "force", "reauth"}`


chore: reorganize directory structure and clean up root directory 2025-12-20 11:25:34 +08:00			`@auth_bp.get("/login")`
feat: add super admin console 2025-11-14 15:46:18 +08:00			`def login_page() -> Response:`
			`user = get_current_user()`
			`force_login = _truthy_param(request.args.get("force") or request.args.get("reauth"))`
			`if user and not force_login:`
			`return redirect(request.args.get("next") or "/")`
			`return render_template("login.html")`


			`@auth_bp.post("/auth/login")`
			`def login_action() -> Response:`
			`payload = request.get_json(silent=True) or request.form`
			`username = (payload.get("username", "") if payload else "").strip().lower()`
			`password = (payload.get("password", "") if payload else "").strip()`
			`next_url = _safe_next_url((payload.get("next") if payload else None) or request.args.get("next"))`

			`if not username or not password:`
			`return jsonify({"error": "username and password are required"}), 400`

			`user = get_user_by_username(username)`
			`if not user or not verify_password(password, user.get("password_hash", "")):`
			`return jsonify({"error": "invalid credentials"}), 401`
			`if not user.get("is_active", True):`
			`return jsonify({"error": "account disabled"}), 403`

			`sanitized = _scrub_user_payload(user)`
			`session[SESSION_USER_KEY] = sanitized`

feat: 登录权限跳转安全优化与权限控制系统完善 ## 主要修改 ### 🔒 安全优化 (auth.py) - 统一所有用户登录跳转路径，防止权限暴露 - 所有用户默认跳转到 /fs-ai-asistant/api/workflow/lawrisk/db_admin - 移除基于权限等级的多路径跳转逻辑 - 移除调试字段 TEST_MARKER ### 🛡️ 权限控制系统 (licensing_repo.py) - 实现基于用户等级的权限过滤 - 超级管理员(grade=100)和市级管理员(grade>=90): 查看所有区域数据 - 区级管理员(grade<90): 只能查看自己区域数据 - 添加详细的权限拒绝日志记录 ### 👥 用户管理增强 (auth_service.py, v2.py) - 添加 delete_user_account 函数 - 实现用户删除API端点 - 防止删除最后一个管理员账号的安全检查 ### 🎨 UI优化 (super_admin.html) - 更新界面文案: "新的服务部门" → "绑定服务部门" ## 测试验证 - ✅ 所有用户统一跳转验证通过 - ✅ 权限控制逻辑验证通过 - ✅ 用户删除功能验证通过 - ✅ 自定义next参数支持正常 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 15:45:30 +08:00			`# Smart redirect: only apply redirect logic if no explicit next parameter was provided`
			`# For security, all users use the same default redirect to avoid exposing permission levels`
			`explicit_next = (payload.get("next") if payload else None) or request.args.get("next")`
			`if not explicit_next or next_url == "/":`
chore: reorganize directory structure and clean up root directory 2025-12-20 11:25:34 +08:00			`# Default redirect path: admin to db_admin, others to root`
			`if sanitized.get("role") == "admin":`
			`next_url = "/fs-ai-asistant/api/workflow/lawrisk/db_admin"`
			`else:`
			`# For non-admin, redirect to root or homepage if available`
			`next_url = "/fs-ai-asistant/api/workflow/lawrisk/"`
feat: 组织架构权限等级自动管理系统 ## 主要功能 - 实现基于组织架构层级的权限等级自动计算 - 权限等级映射：根级(90)、二级(80)、三级(70)、四级+(60) - 自动根据从属关系计算权限，无需手动填写 ## 安全修复 - 修复密码在URL中泄露的严重安全问题 - 清理所有重定向URL的查询参数 - 前端敏感参数检测与警告 ## 用户体验优化 - 移除组织架构树的权限等级显示 - 简化新增/编辑部门的表单界面 - 实现智能登录跳转（基于角色自动跳转） - Tooltip跟随鼠标，修复滚动偏移bug ## 技术实现 - 前端：自动权限计算函数、拖拽功能、模态框交互 - 后端：_calculate_grade_by_parent()、_get_department_level() - 数据库：保留grade字段，自动同步层级关系 ## 修复的问题 - 组织架构管理按钮无响应 - 登录跳转404错误 - 权限等级手动设置繁琐 - Tooltip位置偏移 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-18 09:39:18 +08:00
feat: add super admin console 2025-11-14 15:46:18 +08:00			`# Form submissions expect redirects; API clients expect JSON`
			`if request.content_type and "application/x-www-form-urlencoded" in request.content_type:`
			`return redirect(next_url)`

			`return jsonify({"message": "login successful", "user": sanitized, "redirect": next_url})`


			`@auth_bp.post("/auth/logout")`
			`def logout_action() -> Response:`
			`session.pop(SESSION_USER_KEY, None)`
			`if request.content_type and "application/x-www-form-urlencoded" in request.content_type:`
			`return redirect(url_for("auth.login_page"))`
			`return jsonify({"message": "logged out"})`


			`@auth_bp.get("/auth/me")`
			`def current_user_endpoint() -> Response:`
			`user = get_current_user()`
			`if not user:`
			`return jsonify({"authenticated": False}), 401`
			`return jsonify({"authenticated": True, "user": user})`